CVE-2019-12524
First published: Wed Apr 15 2020(Updated: )
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Squid-Cache Squid | <=4.7 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| ubuntu/squid | <4.8 | 4.8 |
| ubuntu/squid3 | <3.5.27-1ubuntu1.7 | 3.5.27-1ubuntu1.7 |
| debian/squid | 4.6-1+deb10u7 4.6-1+deb10u10 4.13-10+deb11u2 4.13-10+deb11u3 5.7-2 5.7-2+deb12u1 6.6-1 6.9-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://security.netapp.com/advisory/ntap-20210205-0006/
- https://usn.ubuntu.com/4446-1/
- https://www.debian.org/security/2020/dsa-4682
- https://launchpad.net/bugs/cve/CVE-2019-12524
- http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
- http://www.squid-cache.org/Versions/v4/changesets/SQUID-2019_4.patch
- https://security-tracker.debian.org/tracker/CVE-2019-12524
- https://ubuntu.com/security/notices/USN-4446-1
- https://www.cve.org/CVERecord?id=CVE-2019-12524
- https://nvd.nist.gov/vuln/detail/CVE-2019-12524
- https://ubuntu.com/security/CVE-2019-12524
Frequently Asked Questions
What is CVE-2019-12524?
CVE-2019-12524 is a vulnerability discovered in Squid through version 4.7.
What is the severity of CVE-2019-12524?
CVE-2019-12524 has a severity rating of critical with a CVSS score of 9.8.
What is the affected software for CVE-2019-12524?
The affected software for CVE-2019-12524 includes Squid versions up to and including 4.7, Debian Linux versions 9.0 and 10.0, and Canonical Ubuntu Linux versions 16.04 and 18.04.
How does CVE-2019-12524 impact Squid?
CVE-2019-12524 allows unauthorized users to access detailed server information meant for the maintainer through the Cache Manager in Squid.
How can CVE-2019-12524 be fixed?
To fix CVE-2019-12524, it is recommended to update Squid to version 4.8 or apply the provided patch. Additionally, Debian and Ubuntu users should update to the specified versions of Squid.
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/last-modified-date
- agent/first-publish-date
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/squid-cache
- canonical/squid-cache squid
- version/squid-cache squid/4.7
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- package-manager/debian
- package-manager/ubuntu